[Ovirt-devel] [PATCH node-image] set SELinux enforcing temporary to permissive

Jim Meyering jim at meyering.net
Tue Sep 23 06:22:40 UTC 2008


Alan Pevec <apevec at redhat.com> wrote:
> otherwise SELinux modules do not get loaded in livecd install chroot
>
> Signed-off-by: Alan Pevec <apevec at redhat.com>
> ---
>  ovirt-node-image.spec.in |   13 +++++++++++--
>  1 files changed, 11 insertions(+), 2 deletions(-)
>
> diff --git a/ovirt-node-image.spec.in b/ovirt-node-image.spec.in
> index 58b6e46..33fd78d 100644
> --- a/ovirt-node-image.spec.in
> +++ b/ovirt-node-image.spec.in
> @@ -58,8 +58,17 @@ EOF
>  mkdir -p %{ovirt_cache_dir}/node-image-tmp
>  mkdir -p %{ovirt_cache_dir}/yum
>
> -sudo su - -c "cd $(pwd) && livecd-creator --skip-minimize -c %{name}.ks -f %{name} \
> -               --tmpdir='%{ovirt_cache_dir}/node-image-tmp' --cache='%{ovirt_cache_dir}/yum'"
> +sudo su - -c "cd $(pwd) &&
> +              if [ $(cat /selinux/enforce) = 1 ]; then

To be on the safe side, use double quotes around the $(...) result.
Otherwise, when the file is empty or nonexistent (I saw the latter
recently, before SELinux worked), then you get a shell syntax error.

                 if [ "$(cat /selinux/enforce)" = 1 ]; then

Alternatively, use a case stmt, where you don't need the quotes:

    case $(cat /selinux/enforce) in
        1) enforcing=1 ; setenforce 0 ;;
        *) enforcing=0 ;;
    esac

Hmm...  I wrote the above, then realized that this code is within
a double-quoted string, so you can't naively double-quote the string
as I first suggested.

> +                enforcing=1
> +                setenforce 0
> +              else
> +                enforcing=0
> +              fi
> +              livecd-creator --skip-minimize -c %{name}.ks -f %{name} \
> +               --tmpdir='%{ovirt_cache_dir}/node-image-tmp' \
> +               --cache='%{ovirt_cache_dir}/yum'
> +              setenforce \$enforcing"
>  sudo su - -c "cd $(pwd) && ./ovirt-pxe %{name}.iso"
>  sudo su - -c "cd $(pwd) && chown -R $USER ."
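
Review bot: the closing `setenforce \$enforcing` is now the last command in the new `sudo su - -c` block, so the block returns the status of `setenforce` and a failed `livecd-creator` no longer fails this step the way the old single-command form did; the `./ovirt-pxe %{name}.iso` line that follows would then run against a missing or partial image. Suggest saving the status right after `livecd-creator` (`rc=\$?`), restoring the mode, then ending with `exit \$rc`. The `cd $(pwd) &&` guard also covers only the `if` statement now: if `cd` fails, `livecd-creator` still runs and `enforcing` is unset when `setenforce` is called. Finally, `$(cat /selinux/enforce)` is not escaped, unlike `\$enforcing`, so it is expanded by the calling shell before `su` starts; escaping it as `\$(...)` would keep the read and the restore in the same shell.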



